Attribute Lookup in Extension

[Christopher Bongaarts]

On 9/17/2018 1:48 PM, Cantor, Scott wrote:
> On 9/17/18, 1:59 PM, "Christopher Bongaarts" <cab at umn.edu> wrote:
>
>> One thing I found helpful in understanding this was to examine the
>> existing (system) flows that call a ResolveAttributes action, and
>> compare how different flows invoke it in different ways at different times.
> Certainly one can, but the "major" flows are very complex and hard to follow at first, and in this specific instance, I'm just saying that the interceptors run at a point where all the data has been collected already in the normal way and the usual need is just to access it via the AttributeContext, per the diagram of the tree on the page I referenced.
>
> That's how they existing ones (expiring-password, context-check, and even attribute-release) get at them.

Most definitely - if you can take care of something using the intercept 
mechanism, your life will be free and easy.

> What you *don’t* want to do is ever wire up copies of our action beans and/or directly copy our flows when the beans reference those impl classes. They're not API and they're all subject to change at any time, and any upgrade could break them.

After migrating to the MFA flow and built-in lockout support, I think 
I'm down to just a handful of tweaks to the system/flows/authn flows 'n' 
beans (mostly to support our local audit log and a legacy auth cookie).  
3.4 has some nice stuff coming that will let me trim down or eliminate 
some of our Java code too.

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%